Consistent, Engaging Training Key to Raising Employee Security Awareness
Covid-19 isn’t the only pandemic that has upended our lives over the past year and a half — there’s also been a plague of cyberattacks triggered by the global health crisis. An astonishing 90 percent of public- and private-sector organizations experienced increased cyberattacks in 2020, according to a new global study from market research specialist Censuswide.
The hasty transition to remote operations contributed to vulnerabilities. According to the Censuswide report, 93 percent of organizations delayed critical security projects in order to manage the transition to remote work. However, most analysts agree that risky behaviors by remote employees opened the door to many attacks.
In a variety of recent studies, employees admit to routinely disregarding basic security best practices as they seek more expedient or convenient ways to get their work done. Remote workers admit to regularly opening suspicious emails and web links, using unsanctioned applications and uploading company data to personal devices. Research from Stanford University suggests that employee errors are the root cause of nearly 90 percent of security breaches.
Forget About It
Although organizations are attempting to correct these behaviors with security awareness training, new research suggests the benefits are short-lived. Researchers from several German universities say employees forget much of what they’ve learned after just a few months unless training is repeated regularly.
The researchers tested subjects at regular intervals over a one-year period to evaluate the effectiveness of training programs. They found security awareness was significantly improved for up to five months after training, but that subjects began reverting to old habits after that. The researchers concluded that training should be repeated every six months.
A new study from Osterman Research echoes those results. The firm found that employees who receive more than 15 minutes of training each month demonstrated marked improvements in their ability to identify and deal with a variety of threats when compared to those receiving less training.
However, regular awareness training has little value if it is poorly executed. Almost 90 percent of the Osterman respondents said their security awareness training was ineffective because the training materials were unimaginative, boring, poorly written or irrelevant. The study also found that users who considered their training to be “very interesting” were 13 times more likely to make fundamental changes in their security practices.
Developing a compelling and effective security training program is a challenge for IT security pros. It is usually just an additional task added to other job requirements. Given their time constraints, it isn’t surprising that most training coordinators put together programs consisting largely of email reminders, information sheets and PowerPoint presentations. From the employee’s standpoint, such training can feel almost like punishment.
SageNet understands the challenge and has partnered with KnowBe4 to deliver automated security awareness programs, with phishing tests included, as essential components of our SageSECURE cybersecurity practice. Working closely with the training professionals at KnowBe4, we offer customers programs that use a variety of techniques to keep things interesting and engaging.
Of course, even with regular training users will make mistakes. That’s why it’s still important to have security monitoring and active endpoint detection and response (EDR) in place. Through our managed EDR, security information and event management (SIEM), and monitoring offerings, the SageNet team will identify and contain threats, restore affected systems and data, and help ensure that the threat does not recur.
Consistent training and education programs reinforce that security is a core company value and help boost employee diligence. These programs should be combined with technical controls that effectively detect and contain threats. SageNet can work with you to tailor a program that fits your needs.
SageSECURE, Managed Security Services